
slapd not working on ldaps?



I am trying to get slapd set up using SSL with no luck.

Here is what I've done so far:
- Followed the instructions on www.tldp.org to set up a CA for myself.
- Got OpenLDAP compiled and working on the stock ldap port
- Added some entries! (ldapsearch works here!)
- Added the following to my slapd.conf
	TLSCACertificateFile C:/openldap/build/ca/cacert.crt
	TLSCACertificatePath C:/openldap/build/ca
	TLSCertificateFile C:/openldap/build/ca/ldapcert.pem
	TLSCertificateKeyFile C:/openldap/build/ca/ldapreq.pem
	TLSCipherSuite HIGH:MEDIUM:+SSLv3
	TLSVerifyClient demand
- Started slapd with: (It asks for my password and such)
	slapd -d -1 -f slapd.conf -h "ldaps:// ldap://";
- Set up a C:\openldap\sysconf\ldap.conf file
	*** Sure would be nice to send this as a command line param! ***
	Contents:
	TLS_CACERT C:\openldap\build\ca\cacert.crt
	TLS_CACERTDIR C:\openldap\build\ca
	TLS_CERT C:\openldap\build\ca\client1cert.pem
	TLS_KEY C:\openldap\build\ca\client1req.pem
- Then tried to do this:
	ldapsearch -d -1 -Z -H "ldaps://127.0.0.1:636" -D /
	"cn=Manager,o=Acme,l=Fairfax,st=Virginia,c=US" -w secret -b /
	"o=Acme,l=Fairfax,st=Virginia,c=US" "(objectclass=*)"

And I get errors from both slapd and ldapsearch! (below is some debug output)
What am I doing wrong?

NOTE: OpenLDAP v2.1.12
NOTE: OpenSSL v0.9.7
NOTE: OS: Win XP sp1
NOTE: I couldn't get OpenLDAP to compile so I removed the
sslv3_send_alert function call
NOTE:   damn windows...

slapd
---------------------------------------
TLS trace: SSL3 alert write:fatal:handshake failure
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS trace: SSL_accept:error in SSLv3 read client certificate B
TLS: can't accept.
TLS: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate .\ssl\s3_srvr.c:1978
connection_read(1292): TLS accept error error=-1 id=0, closing

Ldapsearch
-----------------------------------------
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
tls_write: want=210, written=210
	...
TLS trace: SSL_connect:SSLv3 flush data
tls_read: want=5, got=5
  0000:  15 03 01 00 02                                     .....
tls_read: want=2, got=2
  0000:  02 28                                              .(
TLS trace: SSL3 alert read:fatal:handshake failure
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect.
ldap_perror
ldap_start_tls: Can't contact LDAP server (81)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
ldap_bind_s
ldap_simple_bind_s
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_perror
ldap_bind: Can't contact LDAP server (81)
        additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
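With TLSVerifyClient demand, OpenSSL rejects a client that presents no certificate with exactly the "peer did not return a certificate" alert shown in the slapd trace, and a client presents nothing when its TLS_CERT/TLS_KEY pair fails to load. The first check worth running is therefore whether each configured file holds the PEM block type its directive requires (a key directive must point at a private key, not at a certificate or a certificate request). This is an added example, not code from the thread or from OpenLDAP; the directive names are the real slapd.conf/ldap.conf ones, while the file contents and paths are constructed, with TLS_KEY deliberately pointed at a CSR to show what the check reports.

```python
import re

# PEM block label each TLS directive must point at. slapd.conf (server)
# directives are TLS*, ldap.conf (client) directives are TLS_*.
EXPECTED = {
    "TLSCACertificateFile": "CERTIFICATE",
    "TLSCertificateFile": "CERTIFICATE",
    "TLSCertificateKeyFile": "PRIVATE KEY",
    "TLS_CACERT": "CERTIFICATE",
    "TLS_CERT": "CERTIFICATE",
    "TLS_KEY": "PRIVATE KEY",
}

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)


def pem_labels(text):
    """Labels of all PEM blocks in a file, e.g. ['CERTIFICATE REQUEST']."""
    return PEM_BEGIN.findall(text)


def check_tls_files(config, files):
    """config: {directive: path}; files: {path: contents} (e.g. from open().read()).
    Returns (directive, path, problem) for every file that does not hold
    the block type its directive needs. Directory directives are skipped."""
    problems = []
    for directive, path in config.items():
        want = EXPECTED.get(directive)
        if want is None:
            continue
        text = files.get(path)
        if text is None:
            problems.append((directive, path, "file not found"))
            continue
        labels = pem_labels(text)
        # "RSA PRIVATE KEY" / "EC PRIVATE KEY" (PKCS#1 / SEC1) are private keys too
        if not any(l == want or l.endswith(" " + want) for l in labels):
            problems.append((directive, path, f"expected {want}, found {labels or 'no PEM block'}"))
    return problems


# Constructed sample files (base64 bodies omitted); not the poster's real files.
SAMPLE_FILES = {
    "ca/cacert.crt": "-----BEGIN CERTIFICATE-----\nBODY\n-----END CERTIFICATE-----\n",
    "ca/client1cert.pem": "-----BEGIN CERTIFICATE-----\nBODY\n-----END CERTIFICATE-----\n",
    "ca/client1req.pem": "-----BEGIN CERTIFICATE REQUEST-----\nBODY\n-----END CERTIFICATE REQUEST-----\n",
    "ca/client1key.pem": "-----BEGIN RSA PRIVATE KEY-----\nBODY\n-----END RSA PRIVATE KEY-----\n",
}
# Constructed client config: TLS_KEY points at the CSR, so no client cert can be sent.
CLIENT_CONF = {"TLS_CACERT": "ca/cacert.crt", "TLS_CERT": "ca/client1cert.pem", "TLS_KEY": "ca/client1req.pem"}

if __name__ == "__main__":
    for directive, path, problem in check_tls_files(CLIENT_CONF, SAMPLE_FILES):
        print(f"{directive} {path}: {problem}")
```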